Abstract — We consider an extension of Massey's construction 
of secret sharing schemes using linear codes. We describe the 
access structure of the scheme and show its connection to the dual 
code. We use the g-fold joint weight enumerator and invariant 
theory to study the access structure. 



I. Introduction 

A secret sharing scheme is a process of distributing a secret 
to a set of participants in such a way that only certain subsets 
of them can determine the secret. The set of all subsets which 
can determine the secret is called the access structure of the 
scheme. Secret sharing schemes were introduced in 1979 ([11], 
TH]) and since then, different schemes were constructed. For a 
general introduction to secret sharing schemes, see for instance 
[TJI. An important class of secret sharing schemes are those 
which are based on linear codes. The relation between secret 
sharing schemes and linear codes was first presented in [9]. 
The access structure of schemes based on self-dual codes was 
analyzed in [6] using some properties of the codes. 

In this work, we consider an extension of the construction 
method in [10]. This construction is presented in Section 2. In 
Section 3, we characterize the groups that can determine the 
secret. In Sections 4-6, we describe the access structure of the 
scheme by extending the techniques used in [6]. 

II. Codes and Secret Sharing Schemes 

Let $\mathbb{F}_q$ stand for the finite field of order $q$, where $q$ is a prime power. The Hamming weight $\mathrm{wt}(v)$ of a vector $v$ in $\mathbb{F}_q^n$ is the number of its non-zero coordinates while the support of $v$ is given by $\mathrm{supp}(v) = \{i : v_i \neq 0, 1 \le i \le n\}$. An $[n, k, d]$ linear code $C$ is a linear subspace of $\mathbb{F}_q^n$ where $k$ is the dimension and $d$ is the minimum Hamming weight. A generator matrix $G$ for a code $C$ is a matrix whose rows form a basis for $C$. For any linear code $C$, we denote by $C^\perp$ its dual under the usual inner product. A code $C$ is said to be self-orthogonal if $C \subseteq C^\perp$ and it is self-dual if $C = C^\perp$. 

We consider the following secret sharing scheme. Let $\mathcal{P} = \{P_1, \dots, P_n\}$ be the set of participants. Suppose we want to share the secret $s = (s_1, s_2, \dots, s_l) \in \mathbb{F}_q^l$. Let $C$ be an $[l+n, k, d]$ linear code over $\mathbb{F}_q$ with $d > l$. Consider a generator matrix $G = [G_1, \dots, G_l, G_{l+1}, \dots, G_{l+n}]$ of $C$ where $G_i$ is the $i$th column. To generate the shares, the dealer picks a vector $u$ such that $uG_i = s_i$ for $1 \le i \le l$. A codeword $c = uG$ is then computed. Now the share of $P_i$ is $c_{l+i}$ for $i = 1, \dots, n$. Note that when $l = 1$ then we have Massey's construction [10]. We also remark that this construction was mentioned in [9] in the case of Reed-Solomon codes. 

Let $B = \{P_{i_1}, \dots, P_{i_m}\} \subseteq \mathcal{P}$. We have the following result from [2]. The participants in $B$ can recover the secret if $\mathrm{span}(G_1, \dots, G_l) \subseteq \mathrm{span}(G_{i_1}, \dots, G_{i_m})$. The participants in $B$ have no information on the secret if $\mathrm{span}(G_1, \dots, G_l) \cap \mathrm{span}(G_{i_1}, \dots, G_{i_m}) = 0$. Otherwise, the participants in $B$ have partial information on the secret. 

The access structure $\Gamma$ of the scheme is the collection of all subsets of $\mathcal{P}$ that can recover the secret. An element $B \in \Gamma$ is called a minimal access group if no element of $\Gamma$ is a proper subset of $B$. For $l = 1$, it was shown in [10] that there is a one-to-one correspondence between the set of minimal access groups and the set of minimal codewords of $C^\perp$ with first coordinate equal to 1. 

A scheme is said to be perfect if every group in the 
access structure can determine the secret and every group not 
in the access structure has no information about the secret. 
If a scheme is not perfect then some groups have partial 
information on the secret. The scheme that we consider here 
is non-perfect for $l \ge 2$. 

The information rate of a scheme is the ratio of the size of 
the secret and maximum size of the share. For perfect schemes, 
the size of each share must be at least as large as the size of 
the secret. An advantage of non-perfect schemes is that the 
size of each share can be smaller than the size of the secret. 
The information rate of the scheme above is $l$. 

III. Access Structure 

We now describe the access structure of a scheme based on a linear code $C$. In [4], it was shown that any group of size at most $d^\perp - l - 1$ has no information about the secret and any group of size at least $n + l - d + 1$ can recover the secret. Here we show that no group of size at most $d_l^\perp - l - 1$ is in the access structure, where $d_l^\perp$ is the $l$th generalized Hamming weight of $C^\perp$ (cf. Corollary 2). Since $d_l^\perp$ is not so easy to determine for $l \ge 2$, we also show that the size of an access group is at least $\frac{3}{2}(d^\perp - l)$, where $d^\perp$ is the minimum weight of $C^\perp$ (cf. Corollary 3). This bound is weaker than the one given by $d_l^\perp$, but easier to calculate. We are going to use the following proposition which is an extension of the approach in [10]. 

Proposition 1: Let $B = \{P_{i_1}, \dots, P_{i_m}\} \subseteq \mathcal{P}$. Then the participants in $B$ can determine $s$ if and only if there exist codewords $v_j \in C^\perp$, $1 \le j \le l$, satisfying the following conditions: 

i. The subvector of $v_j$ consisting of its first $l$ coordinates is equal to the $j$th unit vector $e_j$ in $\mathbb{F}_q^l$. 

ii. $\mathrm{supp}(v_j) \subseteq \{j,$ 

Proof: Suppose there exist codewords $v_j \in C^\perp$, $1 \le j \le l$, satisfying conditions (i) and (ii). For $j = 1, \dots, l$, we have 



S ■ Vi 



r=l 







for some constants $a_{jr}$, $1 \le r \le m$, which are not all zero. 
Hence, the secret $s$ can be determined as a linear combination 
of the shares of participants in $B$. 

Suppose the participants in $B$ can determine the secret. Then 
for each $j = 1, \dots, l$, we have an equation of the form 



r=l 



for some constants $\beta_{jr}$, $1 \le r \le m$, which are not all zero. The equation can be rewritten as 

$$(c_1, c_2, \dots, c_l, c_{l+1}, \dots, c_{l+n}) \cdot (e_j, 0, \dots, -\beta_{j1}, \dots, -\beta_{jm}, 0, \dots, 0) = 0.$$

Now the codewords $(e_j, 0, \dots, -\beta_{j1}, \dots, -\beta_{jm}, 0, \dots, 0)$ are in $C^\perp$ and satisfy conditions (i) and (ii). ■ 

Example 1: Let $C_1$ be the [8, 3, 4] linear code over $\mathbb{F}_3$ with generator matrix 



G 



1 2 2 1 1 
10 12 12 1 
1 2 1 2 



We consider the scheme based on the dual of $C_1$ with $l = 2$ 
(so we have 6 participants). Applying the proposition, we can 
verify that the access structure consists of 4 groups of size 5 
and 1 group of size 6. 

Example 2: Consider the scheme based on the [8,4,4] 
extended binary Hamming code with $l = 3$. In this case, we 
have a total of 5 participants. There are 4 groups of size 4 and 
1 group of size 5 in the access structure. 
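
The scheme of Section II run on Example 2, as an added example that is not code from the paper: it deals shares, classifies every group with the span criterion quoted from [2], and reconstructs the secret for the groups that qualify. The column ordering of the generator matrix and all function names are assumptions made for this illustration.

```python
from itertools import combinations, product

L, N = 3, 5  # secret length l and number of participants n, as in Example 2
# Constructed column order for a generator matrix of the [8,4,4] extended
# Hamming code: column (1, p) for each point p of F_2^3; the first L columns
# carry the secret, the remaining N belong to participants P_1..P_N.
POINTS = [(0,0,0), (1,0,0), (0,1,0), (1,1,0), (0,0,1), (1,0,1), (0,1,1), (1,1,1)]
COLS = [(1,) + p for p in POINTS]

def rank(vectors):
    """Rank over F_2 of 0/1 tuples, by elimination on integer bitmasks."""
    basis = []
    for v in vectors:
        x = int("".join(map(str, v)), 2)
        for b in basis:
            x = min(x, x ^ b)  # clears the leading bit of b from x if it is set
        if x:
            basis.append(x)
    return len(basis)

def classify(group):
    """'recover', 'none' or 'partial' for a tuple of 1-based participant indices."""
    s_cols = COLS[:L]
    b_cols = [COLS[L + i - 1] for i in group]
    # dim(span(S) ∩ span(B)) = rank(S) + rank(B) - rank(S ∪ B)
    common = rank(s_cols) + rank(b_cols) - rank(s_cols + b_cols)
    if common == rank(s_cols):
        return "recover"
    return "none" if common == 0 else "partial"

def access_structure():
    """All groups whose columns span the secret columns."""
    return [g for m in range(1, N + 1)
            for g in combinations(range(1, N + 1), m) if classify(g) == "recover"]

def deal(secret):
    """Dealer: find u with u.G_i = s_i for i <= L and return the shares c_{L+i}.
    A real dealer picks u at random among the solutions; the first one is
    taken here so the output is reproducible."""
    dot = lambda u, col: sum(a * b for a, b in zip(u, col)) % 2
    for u in product((0, 1), repeat=len(COLS[0])):
        if all(dot(u, COLS[i]) == secret[i] for i in range(L)):
            return [dot(u, col) for col in COLS[L:]]

def reconstruct(group, shares):
    """Write each secret column as an F_2-sum of the group's columns and apply
    the same sum to the shares; None if some secret column is out of reach."""
    secret = []
    for target in COLS[:L]:
        subsets = (s for r in range(1, len(group) + 1) for s in combinations(group, r))
        hit = next((s for s in subsets if tuple(
            sum(x) % 2 for x in zip(*(COLS[L + i - 1] for i in s))) == target), None)
        if hit is None:
            return None
        secret.append(sum(shares[i - 1] for i in hit) % 2)
    return tuple(secret)
```

With this ordering the single participant $P_1$ already holds partial information while $P_2$ alone holds none, which is the non-perfect behaviour described in Section II.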

Corollary 2: Any group of $d_l^\perp - l - 1$ or less participants is not in the access structure where $d_l^\perp$ is the $l$th generalized Hamming weight of $C^\perp$. 

Proof: The $l$th generalized Hamming weight of a linear code is the minimum support of its subcodes of dimension $l$. A minimal access group $B = \{P_{i_1}, \dots, P_{i_m}\}$ corresponds to an $[l+n, l]$ subcode $\mathcal{D}$ of $C^\perp$ such that $\mathrm{supp}(\mathcal{D}) = \{1, \dots, l, i_1, \dots, i_m\}$. Hence, $m \ge d_l^\perp - l$. ■ 

Corollary 3: If $l \ge 2$ then any group of $\frac{3}{2}(d^\perp - l) - 1$ or less participants is not in the access structure. 



Proof: As in the proof of Corollary 2, a minimal access group of size $m$ corresponds to an $[l+n, l]$ subcode $\mathcal{D}$ of $C^\perp$ whose support has size $l + m$. Moreover, deleting the first $l$ coordinates of $\mathcal{D}$ as well as those coordinates which are not in its support yields a binary $[m, l]$ code of minimum weight at least $d^\perp - l$. Recall that $A(N, \delta)$ is the maximum size of a (not necessarily linear) code of length $N$ and minimum weight at least $\delta$. The above yields $A(m, d^\perp - l) \ge 2^l > 2$. On the other hand, it is well-known that $A(N, \delta) \le 2$ whenever $N < \frac{3}{2}\delta - 1$. This yields $m \ge \frac{3}{2}(d^\perp - l)$. ■ 

Proposition 4: When all participants come together and attempt to determine the secret, [^^^J cheaters can be detected. 

Proof: Deleting the first $l$ coordinates of $C$ results in a code with minimum distance $d - l$. ■ 

IV. g-Fold Joint Weight Enumerator 

We describe the connection between the g-fold joint weight 
enumerator and the access structure. The g-fold joint weight 
enumerator is a generalization of the joint weight enumerator 
(see [5]). 

Definition 1: Let $A_1, A_2, \dots, A_g$ be codes of length $n$ over $\mathbb{F}_q$. The g-fold joint weight enumerator of $A_1, A_2, \dots, A_g$ is defined as follows: 



where 



cieAi,...,Cg£Ag aG¥^ 



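$(\bar{c}_{1i}, \dots, \bar{c}_{gi})\}|$, and $\bar{c}_{ji} = 1$ if $c_{ji} \neq 0$ and $\bar{c}_{ji} = 0$ if $c_{ji} = 0$. 
Here $(x_a; a \in \mathbb{F}_2^g)$ is a $2^g$-tuple of variables with $\mathbb{F}_2^g$, that is, 
$(x_{00\dots0}, x_{00\dots1}, \dots$ 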

First we consider the case $l = 2$, i.e. the secret $s = (s_1, s_2)$. For simplicity, we use the corresponding decimal representation of the subscripts of the variables in the g-fold joint weight enumerator. Let $T_1 = \{1\}$ and $T_2 = \{2\}$ with indicator vectors $1_{T_1}$ and $1_{T_2}$ respectively. Consider the 4-fold joint weight enumerator $J_{1_{T_1},1_{T_2},C^\perp,C^\perp}(x_a)$ where $a \in \mathbb{F}_2^4$. We are interested in the coefficient of $x_{10}x_5$. The coefficient is a polynomial in $x_0, x_1, x_2, x_3$ and it gives information on the number and supports of pairs of codewords $u, v \in C^\perp$ whose first two coordinates are $(u_1, 0)$ and $(0, v_2)$ respectively, where $u_1$ and $v_2$ are both non-zero. In general, for secrets of length $l$ we use the $2l$-fold joint weight enumerator $J_{1_{T_1},\dots,1_{T_l},C^\perp,\dots,C^\perp}(x_a; a \in \mathbb{F}_2^{2l})$ where $a \in \mathbb{F}_2^{2l}$. The following theorem generalizes a result in [6] where Jacobi polynomials were used. 

Theorem 5: Let $X_1$ be the subset of $\mathbb{F}_2^{2l}$ consisting of all vectors whose first $l$ coordinates are zero and let $X_2 := \{(e_j, e_j) \mid j \in \{1, \dots, l\}\}$, where $e_j \in \mathbb{F}_2^l$ is the $j$th unit vector. Then the coefficient of $\prod_{a \in X_2} x_a$ in $J_{1_{T_1},\dots,1_{T_l},C^\perp,\dots,C^\perp}(x_a; a \in \mathbb{F}_2^{2l})$ is a polynomial $p(x_a; a \in X_1)$. Identify $X_1$ with $\{0, \dots, 2^l - 1\}$ via the binary number representation and write 



P = 



aeXi 
Then the number $M_C(m)$ of groups of size $m$ in the access structure of the scheme based on $C$ satisfies 

$$M_C(m) \le \sum c_\mu,$$

where the sum is over all $\mu$ with $\sum_{i=1}^{2^l-1} \mu_i = m$. Moreover, if $m < \frac{3}{2}d^\perp - 1$ then equality holds. 

Proof: The sum of the coefficients $c_\mu$, where $\sum_{i=1}^{2^l-1} \mu_i = m$, equals the number of tuples $(v_1, \dots, v_l)$ of elements of $C^\perp$ such that the projection of $v_j$ onto the first $l$ coordinates is the $j$th unit vector in $\mathbb{F}_2^l$, and 

$$\Big| \bigcup_{j=1}^{l} \mathrm{supp}(v_j) \cap \{l+1, \dots, l+n\} \Big| = m.$$

Hence due to Proposition 1 every such tuple determines a group in the access structure of the scheme based on $C$, and every minimal access group occurs as a union of supports of such a tuple. However, in general there may be different tuples of codewords that correspond to the same access group. In this situation, there exists a tuple $(v_1, \dots, v_l)$ as above and an element $c \in C^\perp$ such that 

$$\mathrm{supp}(c) \subseteq \bigcup_{j=1}^{l} \mathrm{supp}(v_j) \cap \{l+1, \dots, l+n\}.$$

Then for any $j \in \{1, \dots, l\}$, $|\mathrm{supp}(c) \cap \mathrm{supp}(v_j) \cap \{l+1, \dots, l+n\}| \ge \mathrm{wt}(c) + \mathrm{wt}(v_j) - 1 - m$ and hence 

$$d^\perp \le \mathrm{wt}(c + v_j) \le 1 + m - (\mathrm{wt}(c) + \mathrm{wt}(v_j) - 1 - m) \le 2m + 2 - 2d^\perp,$$

which yields $m \ge \frac{3}{2}d^\perp - 1$. Hence if $m < \frac{3}{2}d^\perp - 1$ then the sum of the coefficients $c_\mu$ with $\sum_{i=1}^{2^l-1} \mu_i = m$ equals the number of access groups of size $m$. ■ 

If $C$ is self-orthogonal then there exists a weaker condition than the one in Theorem 5 under which the number of access groups of size $m$ can be read off from the $2l$-fold joint weight enumerator. To state this condition, we need the notion of the code extension enumerator below. 

Definition 2: Let $D$ be a linear self-orthogonal $[N, k, d]$ code. The code extension enumerator is the complex polynomial 

c 

where the sum is over a system of representatives of $D^\perp/D$. 

Clearly $\deg(P_D) \le d$, and a summand $t^{d'}$ in $P_D(t)$ gives rise to a linear self-orthogonal $[N, k+1, d']$ code. 

Now consider a secret sharing scheme based on a binary self-orthogonal linear code $C$ and let $(v_1, \dots, v_l)$ be a tuple of elements of $C^\perp$ giving rise to an access group of size $m$, as in Proposition 1. Let $\mathcal{D}$ be the linear code generated by the $v_j$, where the columns where all the $v_j$ are zero are deleted. Then $\mathcal{D}$ is a self-orthogonal $[l+m, l]$ code of minimum distance at least $d^\perp$. 

Assume that there exists another tuple of elements of $C^\perp$ leading to the same access group, i.e. in Theorem 5 we have strict inequality for $M_C(m)$. Then there exists a nonzero element $c \in C^\perp$ with $\mathrm{supp}(c) \subseteq \bigcup_{j=1}^{l} \mathrm{supp}(v_j) \cap \{l+1, \dots, l+n\}$. Let $(c)' \in \mathbb{F}_2^{l+m}$ be obtained from $c$ by deleting the coordinates where all the $v_i$ are zero. Then $\langle (c)', \mathcal{D} \rangle$ has minimum weight at least $d^\perp$, hence gives rise to a summand $t^{d(\langle (c)', \mathcal{D} \rangle)}$ in $P_{\mathcal{D}}(t)$, where $d(\langle (c)', \mathcal{D} \rangle) \ge d^\perp$. This yields 

Corollary 6: Consider a secret sharing scheme based on a self-orthogonal linear code $C$ and let $T$ be the set of all tuples in $C^\perp$ that give rise to an access group of size $m$ (cf. Proposition 1). For a tuple $(v_1, \dots, v_l) \in T$, let $\mathcal{D}(v_1, \dots, v_l)$ be the code generated by the $v_j$, in which the columns where all the $v_j$ are zero are deleted. If for all such tuples, all monomials in $P_{\mathcal{D}(v_1, \dots, v_l)}(t)$ (except for the monomial corresponding to G have degree less than $d^\perp$ then equality holds in Theorem 5, i.e. the number of groups of size $m$ in the access structure of the scheme based on $C$ can be read off from $J_{1_{T_1},\dots,1_{T_l},C^\perp,\dots,C^\perp}$. 

V. Binary self-dual codes 

In this section, we focus on schemes based on binary self-dual codes and the case $l = 2$. Based on the previous section, we use $J_{1_{T_1},1_{T_2},C,C}(x_0, \dots, x_{15})$ and determine the coefficient of $x_{10}x_5$. Let us denote this coefficient by $Z$. Under some conditions, we can determine $Z$ using the biweight enumerator of $C$. 

Proposition 7: Let $C$ be an $[n, k, d]$ binary self-dual code. If $C$ has a 2-transitive automorphism group then 

$$Z = \frac{1}{n(n-1)} \frac{\partial^2}{\partial x_2 \partial x_1} J_{C,C}(x_0, x_1, x_2, x_3) = \frac{1}{n(n-1)} \frac{\partial^2}{\partial x_1 \partial x_2} J_{C,C}(x_0, x_1, x_2, x_3).$$

Proof: The first part of the proof is taken from fT\. We can write the biweight enumerator as 

$$J_{C,C}(x_0, x_1, x_2, x_3) = \sum A_{i,j,k,l}\, x_0^i x_1^j x_2^k x_3^l$$

where $A_{i,j,k,l}$ is the number of pairs of codewords with $n_{00} = i$, $n_{01} = j$, $n_{10} = k$, $n_{11} = l$. For a given coefficient $A_{i,j,k,l}$ and coordinate position $h$, let $N_h(i,j,k,l)$ be the set of all pairs of codewords in $C$ which contribute to $A_{i,j,k,l}$ and with 01 pattern at $h$. It follows that $\sum_{h=1}^{n} |N_h(i,j,k,l)| = jA_{i,j,k,l}$ since any pair in $N_h$ has $j$ positions with the 01 pattern. Since the automorphism group is transitive then $|N_h(i,j,k,l)|$ is independent of $h$. Thus, $|N_h(i,j,k,l)| = \frac{j}{n}A_{i,j,k,l}$ and in particular, $|N_2(i,j,k,l)| = \frac{j}{n}A_{i,j,k,l}$. 

Let $N'_h(i,j,k,l)$ be the set of all pairs of codewords in $N_2(i,j,k,l)$ with 10 pattern at position $h$. Using the arguments above and since the automorphism group is 2-transitive, then $|N'_h(i,j,k,l)|$ is independent of $h$ and 

$$|N'_h(i,j,k,l)| = \frac{k}{n-1}|N_2(i,j,k,l)| = \frac{jk}{n(n-1)}A_{i,j,k,l}.$$

The proposition now follows. ■ 

Since the following examples deal with self-dual codes, we shall remark the following. 

Proposition 8: For a secret sharing scheme with $l = 2$ based on a self-dual binary code $C$, the size of every minimal group in the access structure is even. 

Proof: A minimal access group of size $m$ in the access structure corresponds to a pair $(v_1, v_2)$ of words in $C^\perp = C$ such that $v_1 = (1 \dots)$ and $v_2 = (0\ 1 \dots)$ and $m = |(\mathrm{supp}(v_1) \cup \mathrm{supp}(v_2)) - \{1, 2\}|$. The latter equals $\mathrm{wt}(v_1) - 1 + \mathrm{wt}(v_2) - 1 - |\mathrm{supp}(v_1) \cap \mathrm{supp}(v_2)|$. Since $C$ is self-dual, the weight of every word in $C$ is even. Moreover, the parity of $|\mathrm{supp}(v_1) \cap \mathrm{supp}(v_2)|$ equals the inner product of $v_1$ with $v_2$, hence is zero as well. Hence $m$ is even. ■ 

Example 3: The automorphism group of the [8,4,4] extended Hamming code is 2-transitive and its biweight enumerator is 



Jc,eiXo,Xi,X2,X3) = : 

Uxjxj + Ux^xj + xf + WSxlxlxjxl + Uxjxf^+ 
14x2^0 + '^4:xjxQ + Xq. 

We obtain $Z = 4x_1^3x_2^3 + 12x_3^2x_1x_2x_0^2$. When $l = 2$, the total number of participants is 6. Since $\frac{3}{2}d^\perp - 1 = 5$, we can read off the number of access groups of size 4 as 12. The only other access group is the one formed by all participants. 

Example 4: The biweight enumerator of the [24, 12, 8] Golay code $g_{24}$ was computed in |^ and it is known that the automorphism group of this code is 5-transitive. Applying the proposition above, we obtain 

Z = 6160xl'^xlxlx^ + 22176x1° xlxlxl+ 
7392xo°a;f a;2x| + 7392a:o°a:ia;^a;^+ 
26^0x^x1x1 + 73920xlxlxlx^ ' 
73920xgx^a;^x;^ + 369604a;? a;^a;^+ 
36960a;[;a;?a;^a;^ + 12320a;[;x?a;2a;^+ 
56960x1x1x1x1 + 2661124a;^a;^a;|+ 
73924a;ia;24° + 12320a;^a;ia;^a;^+ 
73924a;ia;^4° + ISASOx^xl'^ xlxl+ 
U78A0x^xlxlxl + 73920x^x1x1x1+ 
ISASOx^xlxl'^xt + 73920xfixlxlxl + 
6160xf)xlxlxl'^ + 36960x1x1x1x1+ 
36960xga;f a;^x^ + 22176xga;f a;^4° + 176x1^x1+ 
672x}ix" + 176x1x1^ + 26A0xlxlxl. 

For the secret sharing scheme based on $g_{24}$ with secret length $l = 2$, the number of groups in the access structure of size $m = 10$ can be read off from $Z$ as 6160 due to Theorem 5 since $10 < \frac{3}{2}d^\perp - 1 = 11$. For every tuple $(v_1, v_2)$ giving rise to an access group of size $m = 12$, we can compute $P_{\mathcal{D}(v_1,v_2)}(t)$ explicitly, using the information on the pairs of codewords that is given by $Z$. It turns out that in all the cases, all monomials have degree less than 8, hence due to Corollary 6 the number of access groups of size 12 equals 36960. 



VI. Invariant theory 

Suppose $C$ is an $[n, k, d]$ binary self-dual code. We shall apply invariant theory in describing the access structure, similar to what was done in [6]. We consider the case $l = 2$. Thus, we shall look at the 4-fold joint weight enumerator $J_{1_{T_1},1_{T_2},C,C}(x_a)$ where $a \in \mathbb{F}_2^4$. 



If all the codewords of $C$ have weights divisible by 4 then we have a Type II code. Otherwise, we have a Type I code. In [8], it was shown that the biweight enumerator of a Type I code is invariant under the group $G_1$ generated by all permutation matrices, all 16 matrices $\mathrm{diag}(\pm 1, \pm 1, \pm 1, \pm 1)$, and 



Ti 



1 
71 



1 


V 



1 

-1 







1 / 



The biweight enumerator of a Type II code is invariant under the group $G_2$ generated by $G_1$ and $T_2 = \mathrm{diag}(1, i, 1, i)$ ITJ. 

Let $G$ stand for $G_1$ or $G_2$ depending on the type of code we are dealing with. Following the arguments in fT^ and (§] Section III], and using the MacWilliams theorem in [5], we can verify that $J_{1_{T_1},1_{T_2},C,C}(x_a)$ is left invariant by every element of $G$ acting simultaneously on the following sets of variables: 

$V_1 = \{x_0, x_1, x_2, x_3\}$ 

$V_2 = \{x_4, x_5, x_6, x_7\}$ 

$V_3 = \{x_8, x_9, x_{10}, x_{11}\}$ 

$V_4 = \{x_{12}, x_{13}, x_{14}, x_{15}\}$. 

Hence, $J_{1_{T_1},1_{T_2},C,C}(x_a)$ is a simultaneous invariant for the diagonal action of $G$. As a consequence, we can extend the results in [6] regarding the Molien series. Note that the exponents of the variables in $V_4$ are always zero, hence we can just consider the remaining three sets. The vector space of invariants that we are going to use is $\mathbb{C}[x_a]^G_{i,j,k}$ where $x_a \in \mathbb{F}_2^4 \setminus V_4$ and $i, j, k$ are the total degrees of the variables in $V_1, V_2, V_3$ respectively. The corresponding generalized Molien series [12] is given by 

$$\Phi_G(r, s, t) = \sum_{i=0}^{\infty} \sum_{j=0}^{\infty} \sum_{k=0}^{\infty} \dim(\mathbb{C}[x_a]^G_{i,j,k})\, r^i s^j t^k = \frac{1}{|G|} \sum_{g \in G} \frac{1}{\det(I - rg)\det(I - sg)\det(I - tg)}.$$

Based on the previous section, we are interested in $\dim(\mathbb{C}[x_a]^G_{i,1,1})$. Its generating function in the variable $r$ is given by 

$$F_G(r) = \frac{\partial^2}{\partial s\, \partial t} \Phi_G(r, s, t) \Big|_{(s,t) = (0,0)}.$$


Using MAGMA [3], we obtain the following for Type I: 



Fair) = (r^o+ri 



2r' 



2r 

26 



12 



r 24 ^22 

or — 4r 



6r 
■2t' 



18 



4r' 



6r' 



6r' 



4r' 



6^20 



2r^ + l). 
For Type II we have 

Fair) = (4r^2 ^ 4^54 _^ ^^46 ^ g^38 _^ 7^30 

+ 3r22 + 2ri4 + r^) 

/(r96 _ ^88 _ 2r72 ^ 2r64 - /-e ^ 2^48 

_^40^2r32-2r24-r« + l). 

VII. Conclusion 

We discuss an extension of Massey's secret sharing scheme 
and analyze the access structure using the dual code and the 
g-fold joint weight enumerator. It would be worthwhile to 
replace symmetry properties (group transitivity) by regularity 
properties (combinatorial designs) in Prop. 7. Note that for 
the scheme based on the extended Golay code, we were only 
able to give a partial description of the access structure. For 
future work, we consider the complete description of the 
access structure. Another interesting problem is to determine 
the access structure of schemes based on other families of 
codes. 